[DNM] Open for testing #216

mattmoor · 2021-10-27T02:27:42Z

Builds on #215.

I'm using this to test KinD on GHA.

mattmoor · 2021-10-27T04:24:42Z

Ok, I think that aside from using SoftHSM, this is very nearly ready. I've gotten past a few wrinkles around validating the OIDC token, so we're past that, and it's not clearly failing trying to interact with the googleca:

2021-10-27T04:20:24.651422404Z stderr F {"severity":"info","ts":1635308424.6512873,"caller":"api/googleca_signing_cert.go:50","message":"requesting cert from -----BEGIN CERTIFICATE-----\nMIICyjCCAlCgAwIBAgITEfJ495apY+Xh6mwKJSeVKElaSjAKBggqhkjOPQQDAzAq\nMRUwEwYDVQQKEwxzaWdzdG9yZS5kZXYxETAPBgNVBAMTCHNpZ3N0b3JlMB4XDTIx\nMDMwNzE0NDU1N1oXDTIxMDMwNzE1MDU1MFowOjEbMBkGA1UECgwSbG9yZW5jLmRA\nZ21haWwuY29tMRswGQYDVQQDDBJsb3JlbmMuZEBnbWFpbC5jb20wdjAQBgcqhkjO\nPQIBBgUrgQQAIgNiAARGGPRUeASYE7ilcb59Lplt1HS21EktIc3WyUc3rVd17BZ+\nOzVKUKlATQ8FZQ1Bcs5KFEQY+gDbSH/jmyA6LqNN1heIBh6vw9AoLQj/uMaocIAs\nMkR2gWntT9zf2g8ysGWjggEmMIIBIjAOBgNVHQ8BAf8EBAMCB4AwEwYDVR0lBAww\nCgYIKwYBBQUHAwMwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQUH4c4aC1y99X3F+Oa\nyiwx13lnwjgwHwYDVR0jBBgwFoAUyMUdAEGaJCkyUSTrDa5K7UoG0+wwgY0GCCsG\nAQUFBwEBBIGAMH4wfAYIKwYBBQUHMAKGcGh0dHA6Ly9wcml2YXRlY2EtY29udGVu\ndC02MDNmZTdlNy0wMDAwLTIyMjctYmY3NS1mNGY1ZTgwZDI5NTQuc3RvcmFnZS5n\nb29nbGVhcGlzLmNvbS9jYTM2YTFlOTYyNDJiOWZjYjE0Ni9jYS5jcnQwHQYDVR0R\nBBYwFIESbG9yZW5jLmRAZ21haWwuY29tMAoGCCqGSM49BAMDA2gAMGUCMQCsr95C\nBNieKlQUj41RB9p4IB2c+8XbMK69jXm6IHZRca65nOP4nMwFUqlE1W/OnlACMAht\nLTUlNndCw2IbG027fRqpElrc/IoIDBUa6aW7E1IL6gcnRk3MK38lkAg/jYaucw==\n-----END CERTIFICATE-----\n for 0xd2d8c0","requestID":"fulcio-server-79cf849bc8-4hj6t/i3PzGbVSxN-000001"}
2021-10-27T04:20:24.655133513Z stderr F {"severity":"info","ts":1635308424.6549308,"caller":"restapi/configure_fulcio_server.go:162","message":"[fulcio-server-79cf849bc8-4hj6t/i3PzGbVSxN-000001] \"POST http://fulcio-server.fulcio-dev.svc/api/v1/signingCert HTTP/1.1\" from 10.244.1.8:59320 - 000 0B in 18.090742ms"}
2021-10-27T04:20:24.655487114Z stderr F 
2021-10-27T04:20:24.655507214Z stderr F  panic: google: could not find default credentials. See https://developers.google.com/accounts/docs/application-default-credentials for more information.
2021-10-27T04:20:24.655512614Z stderr F  
2021-10-27T04:20:24.655516114Z stderr F  -> github.com/sigstore/fulcio/pkg/ca/googleca.Client.func1
2021-10-27T04:20:24.655519114Z stderr F  ->   github.com/sigstore/fulcio/pkg/ca/googleca/googleca.go:43
2021-10-27T04:20:24.655522014Z stderr F 
2021-10-27T04:20:24.655525814Z stderr F     sync.(*Once).doSlow
2021-10-27T04:20:24.655528714Z stderr F       sync/once.go:68
2021-10-27T04:20:24.655531714Z stderr F     sync.(*Once).Do
2021-10-27T04:20:24.655534614Z stderr F       sync/once.go:59
2021-10-27T04:20:24.655537514Z stderr F     github.com/sigstore/fulcio/pkg/ca/googleca.Client
2021-10-27T04:20:24.655540614Z stderr F       github.com/sigstore/fulcio/pkg/ca/googleca/googleca.go:39
2021-10-27T04:20:24.655543814Z stderr F     github.com/sigstore/fulcio/pkg/api.GoogleCASigningCertHandler
2021-10-27T04:20:24.655547014Z stderr F       github.com/sigstore/fulcio/pkg/api/googleca_signing_cert.go:52
2021-10-27T04:20:24.655550214Z stderr F     github.com/sigstore/fulcio/pkg/api.SigningCertHandler
2021-10-27T04:20:24.655553114Z stderr F       github.com/sigstore/fulcio/pkg/api/ca.go:63
2021-10-27T04:20:24.655556414Z stderr F     github.com/sigstore/fulcio/pkg/generated/restapi/operations.SigningCertHandlerFunc.Handle
2021-10-27T04:20:24.655559414Z stderr F       github.com/sigstore/fulcio/pkg/generated/restapi/operations/signing_cert.go:37
2021-10-27T04:20:24.655562314Z stderr F     github.com/sigstore/fulcio/pkg/generated/restapi/operations.(*SigningCert).ServeHTTP
2021-10-27T04:20:24.655581614Z stderr F       github.com/sigstore/fulcio/pkg/generated/restapi/operations/signing_cert.go:84
2021-10-27T04:20:24.655584914Z stderr F     github.com/go-openapi/runtime/middleware.NewOperationExecutor.func1
2021-10-27T04:20:24.655587614Z stderr F       github.com/go-openapi/[email protected]/middleware/operation.go:28
2021-10-27T04:20:24.655590614Z stderr F     net/http.HandlerFunc.ServeHTTP
2021-10-27T04:20:24.655593914Z stderr F       net/http/server.go:2049
2021-10-27T04:20:24.655596414Z stderr F     github.com/go-openapi/runtime/middleware.NewRouter.func1
2021-10-27T04:20:24.655598914Z stderr F       github.com/go-openapi/[email protected]/middleware/router.go:78
2021-10-27T04:20:24.655601614Z stderr F     net/http.HandlerFunc.ServeHTTP
2021-10-27T04:20:24.655604214Z stderr F       net/http/server.go:2049

This adds a new flag to the Fulcio options to allow disabling `verifySCT` on keyless signing paths. The option is modeled after `InsecureSkipVerify` in `tls.Config` to convey the severity of disabling this verification, and the flag indicates that this is intended only for testing. This is related to my work here: sigstore/fulcio#216 Signed-off-by: Matt Moore <[email protected]>

Signed-off-by: Matt Moore <[email protected]>

This adds a new flag to the Fulcio options to allow disabling `verifySCT` on keyless signing paths. The option is modeled after `InsecureSkipVerify` in `tls.Config` to convey the severity of disabling this verification, and the flag indicates that this is intended only for testing. This is related to my work here: sigstore/fulcio#216 Signed-off-by: Matt Moore <[email protected]>

mattmoor force-pushed the keyless-verification branch 8 times, most recently from 009f05d to 10661c1 Compare October 27, 2021 04:17

mattmoor force-pushed the keyless-verification branch 5 times, most recently from 4549159 to 24a98da Compare October 27, 2021 20:30

mattmoor mentioned this pull request Oct 27, 2021

Allow disabling verifySCT. sigstore/cosign#955

Merged

mattmoor force-pushed the keyless-verification branch from 24a98da to 307e557 Compare October 27, 2021 20:51

[DNM] Placeholder for KinD keyless e2e test

77aeac3

Signed-off-by: Matt Moore <[email protected]>

mattmoor force-pushed the keyless-verification branch from 307e557 to 77aeac3 Compare October 27, 2021 20:57

mattmoor closed this Nov 30, 2021

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[DNM] Open for testing #216

[DNM] Open for testing #216

mattmoor commented Oct 27, 2021

mattmoor commented Oct 27, 2021

[DNM] Open for testing #216

[DNM] Open for testing #216

Conversation

mattmoor commented Oct 27, 2021

mattmoor commented Oct 27, 2021